Overview of Important SSL Concepts

This section describes concepts that help you troubleshoot problems with SSL in Directory
Server multi-master replication. Problems with SSL always appear on the supplier side. The
error log contains security-related messages such as “SSL init failed.” or
“Certificate not accepted.”

SSL connections always involve two participants:

The SSL client, which is the LDAP client sending the LDAP requests or the Directory Server sending the replication updates (the supplier).

The SSL server, which is the Directory Server accepting the LDAP requests (the consumer).

The SSL client initiates requests and the SSL server always receives them.
During this exchange, the SSL server must provide credentials, and the SSL server must
also verify any credentials sent by the SSL client. For either verification to succeed,
the certificate database on the verifying peer must contain the CA certificate that
issued the certificate sent by the other peer.

In replication, SSL must be enabled in all replicas, even master replicas that
only accept non-SSL operations. For example, a master server communicates with a hub
server using SSL. The hub must listen on the SSL port. The
master does not need to listen on the SSL port because it is an
SSL client. However, it must still define an SSL port; otherwise Directory
Server cannot initiate the SSL certificate exchange for communication with the hub server.

The ssltap tool can capture the SSL communications between two systems. You
place the ssltap program in the connection between a Directory Server and an
LDAP client. The program behaves like a Directory Server when it communicates with
the LDAP client and behaves like the LDAP client when it communicates with the
Directory Server.

Verifying the Certificates Using dsadm

The certificate database resides in the instance-path/alias directory. Get the contents of this directory
for each server involved in the problem.

For example, to see a list of the certificates that can be
used as ns-slapd certificates (certificates with u,, trust flags), use the dsadm command
as follows:

dsadm list-certs instance-path

The command lists the certificates, such as defaultCert, with the date from which each
is valid, its expiration date, whether it is self-signed, who issued it,
and to whom it was issued.

To see information about valid and trusted CA certificates (certificates with CT,, trust
flags), use the dsadm command as follows:

dsadm list-certs --ca instance-path

This command provides the certificate alias, its dates of validity and expiration, whether
it is built in, who issued it, and to whom it was
issued. Verify that the SSL server and client certificates were issued by a
certificate authority that appears in the output of this command.

For detailed information about a particular certificate, use the dsadm command as
follows:

Confirm the validity of the certificate. Also, confirm that the issuer of the
certificate is a valid and trusted certificate authority.
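The two checks above (validity dates, and issuer present among the CT,, CA certificates) can be automated against the output of the two dsadm commands. The script below is an added example, not part of this guide or of dsadm; it embeds constructed sample listings, and the column layout it parses is an assumption that you should compare with your own dsadm output before relying on it.

```python
import re
from datetime import date

# Constructed sample of `dsadm list-certs instance-path` output (u,, certificates).
# The column layout is an assumption made for this example, not the guaranteed format.
SERVER_CERTS = """\
Alias         Valid from   Expires on   Self-signed?  Issued by            Issued to
defaultCert   2006/10/06   2007/01/06   y             CN=ds1.example.com   Same as issuer
supplierCert  2023/01/01   2030/01/01   n             CN=Example Root CA   CN=ds1.example.com
"""

# Constructed sample of `dsadm list-certs --ca instance-path` output (CT,, certificates).
CA_CERTS = """\
Alias         Valid from   Expires on   Built-in?  Issued by            Issued to
exampleCA     2020/01/01   2035/01/01   n          CN=Example Root CA   Same as issuer
"""

DATE = r"(\d{4}/\d{2}/\d{2})"
# alias, valid-from, expires, y/n flag, issuer, subject (last two separated by 2+ spaces)
ROW = re.compile(rf"^(\S+)\s+{DATE}\s+{DATE}\s+([yn])\s+(.+?)\s{{2,}}(\S.*?)\s*$")

def _to_date(text):
    return date(*map(int, text.split("/")))

def parse_listing(text):
    """Turn one dsadm listing into a list of dicts with real date objects."""
    certs = []
    for line in text.splitlines()[1:]:      # skip the header row
        m = ROW.match(line)
        if not m:                            # separator or blank line
            continue
        alias, start, end, _flag, issuer, subject = m.groups()
        if subject == "Same as issuer":
            subject = issuer
        certs.append({"alias": alias, "valid_from": _to_date(start),
                      "expires": _to_date(end), "issuer": issuer, "subject": subject})
    return certs

def audit_certs(server_text, ca_text, today_str):
    """Return one finding per problem; an empty list means both checks passed."""
    today = _to_date(today_str)
    trusted = {c["subject"] for c in parse_listing(ca_text)
               if c["valid_from"] <= today <= c["expires"]}
    findings = []
    for c in parse_listing(server_text):
        if not c["valid_from"] <= today <= c["expires"]:
            findings.append(f"{c['alias']}: not valid on {today} "
                            f"(valid {c['valid_from']} to {c['expires']})")
        if c["issuer"] not in trusted:
            findings.append(f"{c['alias']}: issuer '{c['issuer']}' is not a currently "
                            "valid CT,, CA in this instance's certificate database")
    return findings
```

With the sample data, the expired self-signed defaultCert produces both findings while supplierCert, issued by the trusted exampleCA, produces none.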

Checking Client Authentication Settings

You can configure client authentication to be required or allowed. Verify the
client authentication settings by using DSCC or by using the dsconf get-server-prop ssl-client-auth-mode command.

Note - Users of migrated 5.2 instances of Directory Server can verify the client authentication
settings by checking the nsSSLClientAuth property in the dse.ldif file.

To Verify Client Authentication Settings Using the DSCC

Go to the Directory Servers tab in the DSCC, and select the
server from the table.

Click the Security tab and then the General tab.

In the Client Authentication section, go to LDAP Settings.

If you want only the SSL server to require the certificate, select
Allow Certificate Based Client Authentication.

If you want both the SSL server and the SSL client to
require a certificate, select Require Certificate Based Client Authentication.

Checking the Libraries

Get a list of all the dynamically loaded libraries to see which
NSS/SSL and NSPR libraries are being loaded. To get the list of dynamically
loaded libraries on Solaris Intel or Linux, use the following command:

# cd install-path/lib; ldd ns-slapd

To get the list of dynamically loaded libraries on Solaris SPARC, Solaris AMD64
or HPUX, use the following command:

# cd install-path/lib/64; ldd ns-slapd

The dynamically loaded libraries will be located in the following directory:

install-path/lib/private

Verify SSL Communications Using the ssltap Tool

You can use the ssltap tool to check whether the handshake is
working on your system. The tool works like an SSL proxy, showing the
communications between the LDAP client and the Directory Server and the packets being
exchanged. For example, using this tool you might see that the server asks
for a certificate but the client does not send one, or that
the client proposes a cipher suite that the server does not support.

Because the SSL port 636 is hard-coded on the client side, the
ssltap tool runs on the Directory Server host, where it must listen on
port 636 for incoming client requests. The SSL port of the Directory Server
must be changed to a number other than 636 while the
ssltap tool is running.

For example, run ssltap as follows:

ssltap -vhfsxl -p 636 localhost:637 > output.html

After running a simple LDAP request on the client, such as ldaplist,
the tool should have captured some SSL packets. Stop the tool by pressing
CTRL-C and view the output file in a browser window. The output data
is color coded: data sent by the client is marked
in blue and data sent by the server is marked in red.